Change default min TLS version to TLS 1.0
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index b9735b4..45a6902 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -161,9 +161,6 @@
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_ca_chain( &ssl, &cacert, NULL, "mbed TLS Server 1" );
- /* SSLv3 is deprecated, set minimum to TLS 1.0 */
- ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
-
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio_timeout( &ssl, &server_fd, net_send, net_recv, NULL, 0 );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 9259976..67d2955 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -83,7 +83,7 @@
#define DFL_ALLOW_LEGACY -2
#define DFL_RENEGOTIATE 0
#define DFL_EXCHANGES 1
-#define DFL_MIN_VERSION SSL_MINOR_VERSION_1
+#define DFL_MIN_VERSION -1
#define DFL_MAX_VERSION -1
#define DFL_ARC4 -1
#define DFL_AUTH_MODE -1
@@ -250,8 +250,8 @@
USAGE_RECSPLIT \
"\n" \
" arc4=%%d default: (library default: 0)\n" \
- " min_version=%%s default: \"\" (ssl3)\n" \
- " max_version=%%s default: \"\" (tls1_2)\n" \
+ " min_version=%%s default: (library default: tls1)\n" \
+ " max_version=%%s default: (library default: tls1_2)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
"\n" \
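Review bot: The usage text now hard-codes `tls1` and `tls1_2` as the library defaults, but after this commit the program sets neither value itself, so the text is only accurate when the linked library's defaults match; those defaults are not part of this diff. Either drop the version names, e.g. `default: (library default)`, or keep them and accept that they must be updated whenever the library default moves. Since `ssl3` is still listed under options, the help could also say that it is deprecated and only used when requested explicitly. The same strings are changed in ssl_server2.c.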
@@ -1197,17 +1197,17 @@
}
#endif
- if( opt.min_version != -1 )
+ if( opt.min_version != DFL_MIN_VERSION )
{
ret = ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
- if( ret != 0 && opt.min_version != DFL_MIN_VERSION )
+ if( ret != 0 )
{
polarssl_printf( " failed\n ! selected min_version is not available\n" );
goto exit;
}
}
- if( opt.max_version != -1 )
+ if( opt.max_version != DFL_MAX_VERSION )
{
ret = ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
if( ret != 0 )
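Review bot: The new guard `if( opt.min_version != DFL_MIN_VERSION )` reads "equal to the default" as "not set", which is only correct while DFL_MIN_VERSION is the sentinel -1. If the macro is given a real version again, an explicit `min_version=` equal to it would silently skip ssl_set_min_version(), and the protocol floor would fall back to whatever the library was built with. I would add a comment at the define, e.g. `/* -1 = unset: keep the library default */`, so the dependency is visible. The same applies to the max_version guard and to the matching hunk in ssl_server2.c. The enclosing function starts and ends outside this hunk.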
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 451b1a8..72d74b2 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -258,10 +258,6 @@
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
- /* SSLv3 is deprecated, set minimum to TLS 1.0 */
- ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3,
- SSL_MINOR_VERSION_1 );
-
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio_timeout( &ssl, &client_fd, net_send, net_recv, NULL, 0 );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 2a20fbd..55d7f87 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -602,9 +602,6 @@
* but makes interop easier in this simplified example */
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
- /* SSLv3 is deprecated, set minimum to TLS 1.0 */
- ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
-
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio_timeout( &ssl, &server_fd, net_send, net_recv, NULL, 0 );
diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
index ece8ad2..9702ab1 100644
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@@ -168,9 +168,6 @@
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
- /* SSLv3 is deprecated, set minimum to TLS 1.0 */
- ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
-
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_mutexed_debug, stdout );
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 34cfa8c..2e4fcd8 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -197,9 +197,6 @@
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
- /* SSLv3 is deprecated, set minimum to TLS 1.0 */
- ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
-
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index c2beec7..f3e2955 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -99,7 +99,7 @@
#define DFL_RENEGO_DELAY -2
#define DFL_RENEGO_PERIOD -1
#define DFL_EXCHANGES 1
-#define DFL_MIN_VERSION SSL_MINOR_VERSION_1
+#define DFL_MIN_VERSION -1
#define DFL_MAX_VERSION -1
#define DFL_ARC4 -1
#define DFL_AUTH_MODE -1
@@ -316,8 +316,8 @@
USAGE_ETM \
"\n" \
" arc4=%%d default: (library default: 0)\n" \
- " min_version=%%s default: \"ssl3\"\n" \
- " max_version=%%s default: \"tls1_2\"\n" \
+ " min_version=%%s default: (library default: tls1)\n" \
+ " max_version=%%s default: (library default: tls1_2)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
"\n" \
@@ -1734,17 +1734,17 @@
}
#endif
- if( opt.min_version != -1 )
+ if( opt.min_version != DFL_MIN_VERSION )
{
ret = ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
- if( ret != 0 && opt.min_version != DFL_MIN_VERSION )
+ if( ret != 0 )
{
polarssl_printf( " failed\n ! selected min_version is not available\n" );
goto exit;
}
}
- if( opt.max_version != -1 )
+ if( opt.max_version != DFL_MIN_VERSION )
{
ret = ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
if( ret != 0 )
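Review bot: The max_version guard compares against the wrong macro: `if( opt.max_version != DFL_MIN_VERSION )` should be `if( opt.max_version != DFL_MAX_VERSION )`, as in the ssl_client2.c hunk. Both macros are -1 in this commit, so behaviour is unchanged today. A later change to DFL_MIN_VERSION alone would make this server skip ssl_set_max_version() for a user-selected maximum equal to the minimum default, or call it with an unset -1. The enclosing function continues outside this hunk.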